Subscribe here

slides for
theory lectures
(DON’T SKIP THEM, THEY ARE SUPER
IMPORTANT 🤓)

Follow me here
📖 TABLE OF CONTENTS: THEORY LECTURES (CLICK THE TITLES)

1 What Is Node.js and Why Use It? 13 APIs and RESTful API Design

2 Blocking and Non-Blocking: Asynchronous Nature of Node.js 14 Middleware and the Request-Response Cycle

3 An Overview of How the Web Works 15 What is MongoDB?

4 Front-End vs. Back-End Web Development 16 What Is Mongoose?

5 Static vs Dynamic vs API 17 Intro to Back-End Architecture: MVC, Types of Logic, and More

6 Node, V8, Libuv and C++ 18 An Overview of Error Handling

7 Processes, Threads and the Thread Pool 19 How Authentication with JWT Works

8 The Node.js Event Loop 20 Security Best Practices

9 Events and Event-Driven Architecture 21 MongoDB Data Modelling

10 Introduction to Streams 22 Designing Our Data Model

11 How Requiring Modules Really Works 23 Credit Card Payments with Stripe

12 What is Express? 24 Final Considerations

 SECTION 2 —
INTRODUCTION TO
NODE.JS
SECTION
INTRODUCTION TO NODE.JS

LECTURE
WHAT IS NODE.JS AND WHY USE IT?
WHAT IS NODE.JS?

NOD E . J S

NODE.JS
NODE.JS IS
IS A
A JAVASCRIPT
JAVASCRIPT RUNTIME
BUILT ON GOOGLE’S OPEN-SOURCE
V8 ENGINE. 🤔
V8 JAVASCRIPT ENGINE.
NODE.JS: JAVASCRIPT OUTSIDE OF THE BROWSER

V8

BROWSER NODE.JS
JAVASCRIPT ON THE SERVER!

Perfect conditions for using Node.js

as a web server

We can use JavaScript on the server-

side of web development 😁

Build fast, highly scalable network

applications (back-end)
WHY AND WHEN TO USE NODE.JS?

NODE. J S P R O S USE N O D E . J S

👉 Single-threaded, based on event driven, non-blocking 👉 API with database behind it (preferably NoSQL);
I/O model 🤯 😅
👉 Data streaming (think YouTube);
👉 Perfect for building fast and scalable data-intensive 👉 Real-time chat application;
apps;
👉 Server-side web application.
👉 Companies like have
started using node in production;

👉 JavaScript across the entire stack: faster and more

D O N ’ T U S E
efficient development;

👉 NPM: huge library of open-source packages available

👉 Applications with heavy server-side processing
for everyone for free;
(CPU-intensive).
👉 Very active developer community.
SECTION
INTRODUCTION TO NODE.JS

LECTURE
BLOCKING AND NON-BLOCKING:
ASYNCHRONOUS NATURE OF NODE.JS
SYNCHRONOUS VS. ASYNCHRONOUS CODE (BLOCKING VS. NON-BLOCKING)

SYNCHRONOUS ASYNCHRONOUS

BLOCKING 👎 NON-BLOCKING 👍
THE ASYNCHRONOUS NATURE OF NODE.JS: AN OVERVIEW

U S
(Oversimplified

NODE.JS PROCESS
version)
SYNC H R O N O
This is where our app runs WAY
Read large
text file

Login
SINGLE
Requesting
THREAD
data
BLOCKED
This is where our
Requesting
code is executed.
data Only one thread 👉 It’s YOUR job as a developer
to avoid this kind of situation!
Login
THE ASYNCHRONOUS NATURE OF NODE.JS: AN OVERVIEW

U S
(Oversimplified

NODE.JS PROCESS
version)
ASYNCH R O N O
This is where our app runs WAY
Read large
Display
text file
read data

Login
SINGLE “BACK-
Requesting
THREAD GROUND”
data
This is where our This is where
code is executed. time-consuming
Requesting
Only one thread tasks should be
data
👉 Non-blocking I/O model
executed!
Login More on this later!
👉 This is why we use so many
callback functions in Node.js

👉 Callbacks ≠ Asynchronous
THE PROBLEM: CALLBACK HELL...

C K H E L L
CAL L B A

👉 SOLUTION: Using Promises or Async/Await [Optional Section]

 SECTION 3 —
INTRODUCTION TO
BACK-END WEB
DEVELOPMENT
SECTION
INTRODUCTION TO BACK-END WEB
DEVELOPMENT

LECTURE
AN OVERVIEW OF HOW THE WEB WORKS
WHAT HAPPENS WHEN WE ACCESS A WEBPAGE

👉 Request-response model or Client-server architecture

REQUEST
CLIENT
SERVER
(e.g. browser)

* 🌐
RESPONSE
WHAT HAPPENS WHEN WE ACCESS A WEBPAGE

GET /maps HTTP/1.1 Start line: HTTP method + request target + HTTP version

DNS Host: www.google.com

h"ps://216.58.211.206:443 User-Agent: Mozilla/5.0 HTTP request headers (many different possibilities)

Accept-Language: en-US

DNS LOOKUP
1 <BODY> Request body (only when sending data to server, e.g. POST)

HTTP REQUEST 3
CLIENT
SERVER
(e.g. browser) 2 TCP/IP socket connection

* 🌐
h"ps://www.google.com/maps HTTP RESPONSE 4

HTTP/1.1 200 OK Start line: HTTP version + status code + status message

Protocol Domain name Resource Date: Fri, 18 Jan 2021

(HTTP or HTTPS) Content-Type: text/html HTTP response headers (many different possibilities)
Transfer-Encoding: chunked

<BODY> Response body (most responses)

WHAT HAPPENS WHEN WE ACCESS A WEBPAGE

GET /maps HTTP/1.1 Start line: HTTP method + request target + HTTP version

DNS Host: www.google.com

h"ps://216.58.211.206:443 User-Agent: Mozilla/5.0 HTTP request headers (many different possibilities)

Accept-Language: en-US

DNS LOOKUP
1 <BODY> Request body (only when sending data to server, e.g. POST)

HTTP REQUEST 3
CLIENT
SERVER
(e.g. browser) 2 TCP/IP socket connection

* 🌐
h"ps://www.google.com/maps HTTP RESPONSE 4

5
index.html is the first to be loaded HTTP/1.1 200 OK Start line: HTTP version + status code + status message

👇 Date: Fri, 18 Jan 2021

Scanned for assets: JS, CSS, images Content-Type: text/html HTTP response headers (many different possibilities)
👇 Transfer-Encoding: chunked

Process is repeated for each file <BODY> Response body (most responses)
SECTION
INTRODUCTION TO BACK-END WEB
DEVELOPMENT

LECTURE
FRONT-END VS. BACK-END WEB
DEVELOPMENT
FRONT-END AND BACK-END

FRO N T - E N D B A C K - E N D

WEB SERVER

HTTP
BROWSER App DATABASE
Server

Files

FRONT-END STACK BACK-END STACK

SECTION
INTRODUCTION TO BACK-END WEB
DEVELOPMENT

LECTURE
STATIC VS DYNAMIC VS API
STATIC WEBSITES VS DYNAMIC WEBSITES
STATIC

BROWSER

👉 JavaScript ≠ Dynamic

SERVER-SIDE RENDERING
DYNAMIC

GET BUILD
DATABASE BROWSER
DATA WEBSITE

TEMPLATE
👉 Web application = Dynamic website + Functionality
DYNAMIC WEBSITES VS API-POWERED WEBSITES

THIS COURSE 🚀 😍 SERVER-SIDE RENDERED

DYNAMIC

GET BUILD
DATABASE BROWSER
DATA WEBSITE

TEMPLATE

CLIENT-SIDE RENDERED
BUILDING API CONSUMING API

GET BUILD
API

DATABASE JSON BROWSER

DATA WEBSITE

TEMPLATE
ONE API, MANY CONSUMERS

BROWSERS

h"ps://www.jonas.io/api/myCourseData NATIVE
MOBILE APP

NATIVE
MOBILE APP
API

NATIVE
APP

NATIVE
APP
 SECTION 4 —
HOW NODE.JS WORKS:
A LOOK BEHIND THE
SCENES
SECTION
HOW NODE.JS WORKS: A LOOK BEHIND
THE SCENES

LECTURE
NODE, V8, LIBUV AND C++
THE NODE.JS ARCHITECTURE BEHIND THE SCENES

JS & 100%
C++ JS
OUR
JAVASCRIPT
CODE
JS &
C++
C++

EVENT LOOP THREAD POOL

Thread Thread
#1 #2

Thread Thread
#3 #4

http-parser c-ares OpenSSL zlib

SECTION
HOW NODE.JS WORKS: A LOOK BEHIND
THE SCENES

LECTURE
PROCESSES, THREADS AND THE THREAD
POOL
NODE PROCESS AND THREADS

NODE.JS PROCESS (Instance of a program in execution on a computer)

SINGLE THREAD (Sequence of instructions)

Initialize program

THREA D P O O L :
Execute “top-level” code

👉 Additional 4 threads (or more)

Require modules
THREAD POOL
👉 Offload work from the event loop

Register event callbacks Thread Thread

#1 #2 👉 Handle heavy (“expensive”) tasks:

D ING
F LOA 👉 File system APIs
START EVENT LOOP OF
Thread Thread
👉 Cryptography
#3 #4
👉 Compression

👉 DNS lookups
SECTION
HOW NODE.JS WORKS: A LOOK BEHIND
THE SCENES

LECTURE
THE NODE.JS EVENT LOOP
THE HEART OF NODE.JS: THE EVENT LOOP

NODE.JS PROCESS

SINGLE THREAD
EVEN T L O O P :
EVENT LOOP

New HTTP
E
👉 All the application code that is inside
request
callback functions (non-top-top-level code)

Timer expired
E 👉 Node.js is build around callback functions

Finished file
👉 Event-driven architecture:
reading E

👉 Events are emitted

👉 Event loops picks them up

👉 Callbacks are called

👉 Event loop does orchestration

THE EVENT LOOP IN DETAIL

START
CALLBACK
QUEUES

Expired timer callbacks C C

YES
I/O polling and callbacks C C C C

Any pending C PROCESS.NEXTTICK() QUEUE

Exit program timers or I/O
NO tasks?
C C C OTHER MICROTASKS QUEUE
setImmediate callbacks C
(Resolved promises)

Close callbacks C C
SUMMARY OF THE EVENT LOOP: NODE VS. OTHERS

SINGLE THREAD
WITH EVENT LOOP DON’T B L O C K !
NG
OFFLOADI

👉 Don’t use sync versions of functions in

fs, crypto and zlib modules in your
callback functions

👉 Don’t perform complex calculations

(e.g. loops inside loops)
NEW THREAD
👉 Be careful with JSON in large objects
NEW THREAD

NEW THREAD 👉 Don’t use too complex regular

expressions (e.g. nested quantifiers)
NEW THREAD

NEW THREAD
SECTION
HOW NODE.JS WORKS: A LOOK BEHIND
THE SCENES

LECTURE
EVENTS AND EVENT-DRIVEN
ARCHITECTURE
THE EVENT-DRIVEN ARCHITECTURE

OBSERVER PATTERN

Attached
Event emitter Event listener
EMITS CALLS
callback function
EVENTS

EMITTER LISTENER

‘request’
event
NEW REQUEST
Request received
ON SERVER

👉 Instance of EventEmitter class

SECTION
HOW NODE.JS WORKS: A LOOK BEHIND
THE SCENES

LECTURE
INTRODUCTION TO STREAMS
WHAT ARE STREAMS?

STR E A M S

Used to process (read and write) data piece by piece (chunks),

without completing the whole read or write operation, and
therefore without keeping all the data in memory.

👉 Perfect for handling large volumes of data, for example videos;

👉 More efficient data processing in terms of memory (no need to keep all data in
memory) and time (we don’t have to wait until all the data is available).
NODE.JS STREAMS FUNDAMENTALS
👉 Streams are instances of DESCRIPTION EXAMPLE IMPORTANT EVENTS IMPORTANT FUNCTIONS
the EventEmitter class! 👇 👇 👇 👇

Streams from which

👉 http requests 👉 data 👉 pipe()
READABLE STREAMS we can read
👉 fs read streams 👉 end 👉 read()
(consume) data

Streams to which we 👉 http responses 👉 drain 👉 write()

WRITABLE STREAMS can write data 👉 fs write streams 👉 finish 👉 end()

Streams that are CONSUME STREAMS

DUPLEX STREAMS both readable and 👉 net web socket
writable

Duplex streams that

TRANSFORM STREAMS transform data as it 👉 zlib Gzip creation
is written or read
SECTION
HOW NODE.JS WORKS: A LOOK BEHIND
THE SCENES

LECTURE
HOW REQUIRING MODULES REALLY WORKS
THE COMMONJS MODULE SYSTEM

👉 Each JavaScript file is treated as a separate module;

👉 Node.js uses the CommonJS module system: require(), exports or module.exports;

👉 ES module system is used in browsers: import/export;

👉 There have been attempts to bring ES modules to node.js (.mjs).

Where does it come from?

WHAT HAPPENS WHEN WE REQUIRE() A MODULE

RESOLVING & RETURNING

WRAPPING EXECUTION CACHING
LOADING EXPORTS

👉 Core modules
PATH RESOLVING: HOW NODE DECIDES WHICH MODULE TO LOAD

/ Start with core modules;

👉 Developer modules

0 If begins with ‘./‘ or ‘../‘ 👉 Try to load developer module;

1 If no file found 👉 Try to find folder with index.js in it;

👉 3rd-party modules (from NPM)
2 Else 👉 Go to node_modules/ and try to find module there.
WHAT HAPPENS WHEN WE REQUIRE() A MODULE

RESOLVING & RETURNING

LOADING WRAPPING EXECUTION CACHING
LOADING EXPORTS

Where does it come from?

👉 require: function to require modules;

👉 module: reference to the current module;

👉 exports: a reference to module.exports, used to export object from a module;

👉 __filename: absolute path of the current module’s file;

👉 __dirname: directory name of the current module.

WHAT HAPPENS WHEN WE REQUIRE() A MODULE

RESOLVING & RETURNING

LOADING WRAPPING EXECUTION CACHING
LOADING EXPORTS

👉 require function returns exports of the required module;

Requiring module 2
👉 module.exports is the returned object (important!);

👉 Use module.exports to export one single variable, e.g. one

MODULE MODULE
class or one function (module.exports = Calculator); 1 2

👉 Use exports to export multiple named variables

(exports.add = (a, b) => a + b);
Exporting from module 2
👉 This is how we import data from one module into another;
Importing to module 1
WHAT HAPPENS WHEN WE REQUIRE() A MODULE

RESOLVING & RETURNING

LOADING WRAPPING EXECUTION CACHING
LOADING EXPORTS
 SECTION 6 —
EXPRESS: LET'S START
BUILDING THE
NATOURS API!
SECTION
EXPRESS: LET'S START BUILDING THE
NATOURS API!

LECTURE
WHAT IS EXPRESS?
WHAT IS EXPRESS, AND WHY USE IT?

👉 Express is a minimal node.js framework, a higher level of

abstraction;

👉 Express contains a very robust set of features: complex

routing, easier handling of requests and responses,
middleware, server-side rendering, etc.;

👉 Express allows for rapid development of node.js

applications: we don’t have to re-invent the wheel;

👉 Express makes it easier to organize our application into the

MVC architecture.
SECTION
EXPRESS: LET'S START BUILDING THE
NATOURS API!

LECTURE
APIS AND RESTFUL API DESIGN
WHAT IS AN API ANYWAY?

API
Application Programming Interface: a piece of software that can be used by
another piece of software, in order to allow applications to talk to each other.

👉 Web APIs 👉 But, “Application” can be other things:

👉 Node.js’ fs or http APIs (“node APIs”);

👉 Browser’s DOM JavaScript API;

👉 With object-oriented programming, when exposing

methods to the public, we’re creating an API;

👉 ...
THE REST ARCHITECTURE

Separate API into logical

1 resources

Expose structured,
2 resource-based URLs

3 Use HTTP methods (verbs)

Send data as JSON

4 (usually)

5 Be stateless
THE REST ARCHITECTURE

👉 Resource: Object or representation of something, which

has data associated to it. Any information that can be
named can be a resource.
Separate API into logical
1 resources tours users reviews

Expose structured, URL

2 resource-based URLs
https://www.natours.com/addNewTour

ENDPOINT
3 Use HTTP methods (verbs)

/getTour
Send data as JSON
4 (usually) 👉 Endpoints should contain
/updateTour
only resources (nouns),
B A D 👎
/deleteTour and use HTTP methods
5 Be stateless for actions!
/getToursByUser

/deleteToursByUser
THE REST ARCHITECTURE
Tour id

/addNewTour POST /tours 👉 Create

Separate API into logical

1 resources /getTour GET /tours/7 👉 Read

/updateTour PUT /tours/7 👉 Update

Expose structured,
2 resource-based URLs
PATCH /tours/7

3 Use HTTP methods (verbs)

/deleteTour DELETE /tours/7 👉 Delete

Send data as JSON CRUD

4 (usually)
HTTP METHODS OPERATIONS

5 Be stateless /getToursByUser GET /users/3/tours

👉 Possibilities
are endless!
/deleteToursByUser DELETE /users/3/tours/9
THE REST ARCHITECTURE

String Value Key-value pair

👉 JSend
Separate API into logical
1 resources

Expose structured,
2 resource-based URLs RESPONSE
FORMATTING

3 Use HTTP methods (verbs)

Send data as JSON

4 (usually)

5 Be stateless Object Array 👉 JSON:API

👉 OData JSON Protocol

h"ps://www.natours.com/tours/5
👉 ...
THE REST ARCHITECTURE

👉 Stateless RESTful API: All state is handled on the client. This means that each
request must contain all the information necessary to process a certain request.
The server should not have to remember previous requests.
Separate API into logical
1 resources
👉 Examples of state: loggedIn currentPage

Expose structured,
2 resource-based URLs

currentPage = 5 STATE ON SERVER

3 Use HTTP methods (verbs)

BAD 👎 WEB nextPage = currentPage + 1

GET /tours/nextPage
SERVER send(nextPage)
Send data as JSON
4 (usually)

WEB
5 Be stateless GET /tours/page/6
SERVER
send(6)

STATE COMING FROM CLIENT

SECTION
EXPRESS: LET'S START BUILDING THE
NATOURS API!

LECTURE
MIDDLEWARE AND THE REQUEST-
RESPONSE CYCLE
THE ESSENCE OF EXPRESS DEVELOPMENT: THE REQUEST-RESPONSE CYCLE

👉 “Everything is middleware” (even routers) 👉 “Pipeline”

👉 Order as defined in the code!

MIDDLEWARE STACK

REQ RES // Middleware // Middleware // Middleware // Middleware

INCOMING
OBJ OBJ ... ... ... ... RESPONSE
REQUEST
next() next() next() res.send(...)

👉 E.g: parsing body 👉 E.g: logging 👉 E.g: setting headers 👉 E.g: router

REQUEST-RESPONSE CYCLE
 SECTION 7 —
INTRODUCTION TO
MONGODB
SECTION
INTRODUCTION TO MONGODB

LECTURE
WHAT IS MONGODB?
MONGODB: AN OVERVIEW

> >
DATABASE

DATABASE COLLECTIONS DOCUMENTS

(“Tables”) (“Rows”)

👉 NoSQL blog post

users user

reviews review
WHAT IS MONGODB?

MON G O D B
“MongoDB is a document database with the scalability and flexibility that you want
with the querying and indexing that you need”

KEY MONGODB FEATURES:

👉 Document based: MongoDB stores data in documents (field-value pair data structures, NoSQL);

👉 Scalable: Very easy to distribute data across multiple machines as your users and amount of data grows;

👉 Flexible: No document data schema required, so each document can have different number and type of fields;

👉 Performant: Embedded data models, indexing, sharding, flexible documents, native duplication, etc.

👉 Free and open-source, published under the SSPL License.

DOCUMENTS, BSON AND EMBEDDING

DOCUMENT STRUCTURE RELATIONAL DATABASE

👉 BSON: Data format MongoDB uses for data storage. Like

Column
JSON, but typed. So MongoDB documents are typed.

Unique ID

Values (typed) “JOIN tables”

Fields Reference by
comments_id
Embedded
documents

👉 Data is always normalized

👉 Embedding/Denormalizing: Including related data into a single document.
This allows for quicker access and easier data models (it’s not always the
best solution though).
 SECTION 8 —
USING MONGODB WITH
MONGOOSE
SECTION
USING MONGODB WITH MONGOOSE

LECTURE
WHAT IS MONGOOSE?
WHAT IS MONGOOSE, AND WHY USE IT?

👉 Mongoose is an Object Data Modeling (ODM) library for

MongoDB and Node.js, a higher level of abstraction;

👉 Mongoose allows for rapid and simple development of

mongoDB database interactions;

👉 Features: schemas to model data and relationships, easy

data validation, simple query API, middleware, etc;

👉 Mongoose schema: where we model our data, by describing

the structure of the data, default values, and validation;

👉 Mongoose model: a wrapper for the schema, providing an

interface to the database for CRUD operations.

SCHEMA MODEL
SECTION
USING MONGODB WITH MONGOOSE

LECTURE
INTRO TO BACK-END ARCHITECTURE:
MVC, TYPES OF LOGIC, AND MORE
MVC ARCHITECTURE IN OUR EXPRESS APP

BUSINESS LOGIC

tourModel.js

MODEL userModel.js

...

APPLICATION LOGIC

REQUEST ROUTER CONTROLLER RESPONSE

tourRouter.js

userRouter.js
tourController.js overview.pug
...
userController.js tour.pug

...
VIEW login.pug

...

PRESENTATION LOGIC
APPLICATION VS. BUSINESS LOGIC

APPLICATION LOGIC CONTROLLER MODEL BUSINESS LOGIC

👉 Code that is only concerned about the application’s
implementation, not the underlying business problem
we’re trying to solve (e.g. showing and selling tours);
👉 Concerned about managing requests and responses;
👉 Code that actually solves the business problem we set
out to solve;
👉 Directly related to business rules, how the business
works, and business needs;

👉 About the app’s more technical aspects; 👉 Examples:

👉 Bridge between model and view layers. 👉 Creating new tours in the database;

👉 Checking if user’s password is correct;

👉 Validating user input data;

👉 Ensuring only users who bought a tour can review it.

👉 Fat models/thin controllers: offload as much logic as possible into the

models, and keep the controllers as simple and lean as possible.
 SECTION 9 —
ERROR HANDLING
WITH EXPRESS
SECTION
ERROR HANDLING WITH EXPRESS

LECTURE
AN OVERVIEW OF ERROR HANDLING
ERROR HANDLING IN EXPRESS: AN OVERVIEW

OPERATIONAL ERRORS PROGRAMMING ERRORS

ERROR

ERROR
Problems that we can predict will Bugs that we developers introduce
ERROR
happen at some point, so we just need into our code. Difficult to find and ERROR
to handle them in advance. handle.
ERROR

👉 Invalid path accessed; 👉 Reading properties on undefined;

👉 Invalid user input (validator error 👉 Passing a number where an object ERROR
HANDLING
from mongoose); is expected;
MIDDLEWARE
👉 Failed to connect to server; 👉 Using await without async;

👉 Failed to connect to database; 👉 Using req.query instead of

req.body;
👉 Request timeout;
👉 Etc...
RESPONSE
👉 Etc...
 SECTION 10 —
AUTHENTICATION,
AUTHORIZATION AND
SECURITY
SECTION
AUTHENTICATION, AUTHORIZATION AND
SECURITY

LECTURE
HOW AUTHENTICATION WITH JWT WORKS
HOW JSON WEB TOKEN (JWT) AUTHENTICATION WORKS

CLIENT SERVER

1
POST /login {email, password} 2
If user && password,
4
LOGIN

HTTPS Create unique JWT

Store JWT (cookie
or localStorage) SECRET
3
JWT

5
GET /someProtectedRoute JWT 6
ACCESS

If Valid JWT,
HTTPS Allow access

PROTECTED DATA
7
WHAT A JWT LOOKS LIKE

SECRET
HOW SIGNING AND VERIFYING WORKS

VERIFYING
HEADER + HEADER +
JWT CLIENT JWT
PAYLOAD PAYLOAD
ORIGINAL TEST
SIGNATURE
SIGNATURE SIGNATURE

SECRET SECRET
SIGNING

COMPARE WITH ORIGINAL SIGNATURE

test signature === signature 👉 Data has not been modified 👉 Authenticated

test signature !== signature 👉 Data has been modified 👉 Not authenticated

👉 Without the secret, one will be able to manipulate the JWT data, because they cannot create a valid signature for the new data!
SECTION
AUTHENTICATION, AUTHORIZATION AND
SECURITY

LECTURE
SECURITY BEST PRACTICES
SECURITY BEST PRACTICES AND SUGGESTIONS
👉 COMPROMISED DATABASE
✅ Strongly encrypt passwords with salt and hash (bcrypt)
✅ Strongly encrypt password reset tokens (SHA 256)
👉 BRUTE FORCE ATTACKS
✅ Use bcrypt (to make login requests slow)
↘ Implement rate limiting (express-rate-limit)
⚛ Implement maximum login attempts
👉 CROSS-SITE SCRIPTING (XSS) ATTACKS
↘ Store JWT in HTTPOnly cookies
↘ Sanitize user input data
↘ Set special HTTP headers (helmet package)
👉 DENIAL-OF-SERVICE (DOS) ATTACK
↘ Implement rate limiting (express-rate-limit)
↘ Limit body payload (in body-parser)
✅ Avoid evil regular expressions
👉 NOSQL QUERY INJECTION
✅ Use mongoose for MongoDB (because of SchemaTypes)
↘ Sanitize user input data
👉 OTHER BEST PRACTICES AND SUGGESTIONS
✅ Always use HTTPS
✅ Create random password reset tokens with expiry dates
✅ Deny access to JWT after password change
✅ Don’t commit sensitive config data to Git
✅ Don’t send error details to clients
⚛ Prevent Cross-Site Request Forgery (csurf package)
⚛ Require re-authentication before a high-value action
⚛ Implement a blacklist of untrusted JWT
⚛ Confirm user email address after first creating account
⚛ Keep user logged in with refresh tokens
⚛ Implement two-factor authentication
↘ Prevent parameter pollution causing Uncaught Exceptions
 SECTION 11 —
MODELLING DATA AND
ADVANCED MONGOOSE
SECTION
MODELLING DATA AND ADVANCED
MONGOOSE

LECTURE
MONGODB DATA MODELLING
“DATA... WHAT? 🤔”

M O D E L L I N G
DATA
Example
👇
Different types of relationships
1 between data
Real-world Online
scenario shop

Referencing/normalization vs.
2 embedding/denormalization
categories
cart
Unstructured suppliers
customers Embedding or referencing
data
orders
3 other documents?
products

categories 4 Types of referencing

Structured, logical
products suppliers
data model
customers

orders cart
1. TYPES OF RELATIONSHIPS BETWEEN DATA

1:1 movie name (1 movie can only have 1 name)

👉 1:FEW 👉 1:MANY 👉 1:TON

review log

award review log

1:MANY movie award movie review app log

award hundreds/thousands millions...

(1 movie can win many awards) review log

movie actor
(One movie can have many actors, but
MANY:MANY movie actor
one actor can also play in many movies)
movie actor
2. REFERENCING VS. EMBEDDING

REFERENCED / NORMALIZED EMBEDDED / DENORMALIZED

Main
document
movie

Referencing
(child) EMBEDDING/
DENORMALIZATION

movie
actor

Embedded
documents

REFERENCING /
NORMALIZATION
actor

👍 Performance: we can get all the information in one query

👎 Impossible to query the embedded document on its own
👍 Performance: it’s easier to query each document on its own
👎 We need 2 queries to get data from referenced document
3. WHEN TO EMBED AND WHEN TO REFERENCE? A PRACTICAL FRAMEWORK
👉 Combine all 3 criteria
to take decision!
EMBEDDING REFERENCING

👉 1:MANY
1 RELATIONSHIP TYPE 👉 1:FEW
(How two datasets are 👉 1:TON
👉 1:MANY
related to each other) 👉 MANY:MANY
Movies + Images (100) ?

👉 Data is mostly read

👉 Data is updated a lot
2 DATA ACCESS PATTERNS
👉 Data does not change quickly
👉 (Low read/write ratio)
(How often data is read and
👉 (High read/write ratio)
written. Read/write ratio) Movies + Reviews
Movies + Images

3 DATA CLOSENESS 👉 We frequently need to query

👉 Datasets really belong together
both datasets on their own
(How “much” the data is
User + Email Addresses
related, how we want to query) Movies + Images
4. TYPES OF REFERENCING

CHILD REFERENCING PARENT REFERENCING TWO-WAY REFERENCING

app

movie
app

2M

log
log

actor
log

S O L U T I O N
BEST
log

👉 1:MANY 👉 MANY:MANY

👉 1:FEW 👉 1:TON
SUMMARY 🥳

👉 The most important principle is: Structure your data to match the ways that your application queries and updates data;

👉 In other words: Identify the questions that arise from your application’s use cases first, and then model your data so that
the questions can get answered in the most efficient way;

👉 In general, always favor embedding, unless there is a good reason not to embed. Especially on 1:FEW and 1:MANY
relationships;

👉 A 1:TON or a MANY:MANY relationship is usually a good reason to reference instead of embedding;

👉 Also, favor referencing when data is updated a lot and if you need to frequently access a dataset on its own;

👉 Use embedding when data is mostly read but rarely updated, and when two datasets belong intrinsically together;

👉 Don’t allow arrays to grow indefinitely. Therefore, if you need to normalize, use child referencing for 1:MANY
relationships, and parent referencing for 1:TON relationships;

👉 Use two-way referencing for MANY:MANY relationships.

SECTION
MODELLING DATA AND ADVANCED
MONGOOSE

LECTURE
DESIGNING OUR DATA MODEL
THE NATOURS DATA MODEL

userID: [<id>,
<id>, ..., <id>]
▶ 1:MANY ▶ FEW:FEW
📗 Parent referencing 📙 Embedding

bookings tours locations

C P

tourID: <id> P
C ▶ FEW:FEW ▶ 1:MANY
userID: <id>

tour guides
📘 Child referencing 📗 Parent referencing
or
▶ 1:MANY
📙 Embedding
📗 Parent referencing

P
P C

users reviews
▶ 1:MANY

📗 Parent referencing tourID: <id>

P Parent userID: <id>

C Child
 SECTION 13 —
ADVANCED FEATURES:
PAYMENTS, EMAIL,
FILE UPLOADS
SECTION
ADVANCED FEATURES: PAYMENTS, EMAIL,
FILE UPLOADS

LECTURE
CREDIT CARD PAYMENTS WITH STRIPE
STRIPE WORKFLOW

BACK-END
SECRET KEY

Create Stripe Checkout Session Session

Request Checkout Session

FRONT-END

PUBLIC KEY

Charge Credit Card using Session

ON SUCCESS (ONLY FOR DEPLOYED WEBSITE)

BACK-END

SECRET KEY

Use Stripe Webhook to Create New Booking

SECTION
ADVANCED FEATURES: PAYMENTS, EMAIL,
FILE UPLOADS

LECTURE
FINAL CONSIDERATIONS
CHALLENGES (API) 🤓

👉 Implement restriction that users can only review a tour that they have
actually booked;

👉 Implement nested booking routes: /tours/:id/bookings and /

users/:id/bookings;

👉 Improve tour dates: add a participants and a soldOut field to each

date. A date then becomes like an instance of the tour. Then, when a user
books, they need to select one of the dates. A new booking will increase
the number of participants in the date, until it is booked out
(participants > maxGroupSize). So, when a user wants to book,
you need to check if tour on the selected date is still available;

👉 Implement advanced authentication features: confirm user email, keep

users logged in with refresh tokens, two-factor authentication, etc.
CHALLENGES (WEBSITE) 🤓

👉 Implement a sign up from, similar to the login form;

👉 On the tour detail page, if a user has taken a tour, allow them add a
review directly on the website. Implement a form for this;

👉 Hide the entire booking section on the tour detail page if current user has
already booked the tour (also prevent duplicate bookings on the model);

👉 Implement “like tour” functionality, with favourite tour page;

👉 On the user account page, implement the “My Reviews” page, where all
reviews are displayed, and a user can edit them. (If you know React ⚛,
this would be an amazing way to use the Natours API and train your skills!);

👉 For administrators, implement all the “Manage” pages, where they can
CRUD (create, read, update, delete) tours, users, reviews, and bookings.
END